Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

src/SUMMARY.md

@@ -266,6 +266,7 @@
   - [RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato](windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)
   - [SeDebug + SeImpersonate copy token](windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md)
   - [SeImpersonate from High To System](windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md)
+  - [Semanagevolume Perform Volume Maintenance Tasks](windows-hardening/windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md)
   - [Windows C Payloads](windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md)
 - [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
   - [Abusing Active Directory ACLs/ACEs](windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md)
@@ -497,6 +498,7 @@
   - [Harvesting tickets from Windows](network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
   - [Harvesting tickets from Linux](network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)
   - [Wsgi](network-services-pentesting/pentesting-web/wsgi.md)
+  - [Zabbix](network-services-pentesting/pentesting-web/zabbix.md)
 - [110,995 - Pentesting POP](network-services-pentesting/pentesting-pop.md)
 - [111/TCP/UDP - Pentesting Portmapper](network-services-pentesting/pentesting-rpcbind.md)
 - [113 - Pentesting Ident](network-services-pentesting/113-pentesting-ident.md)
@@ -765,6 +767,7 @@
 - [Physical Attacks](hardware-physical-access/physical-attacks.md)
 - [Escaping from KIOSKs](hardware-physical-access/escaping-from-gui-applications.md)
 - [Firmware Analysis](hardware-physical-access/firmware-analysis/README.md)
+  - [Android Mediatek Secure Boot Bl2 Ext Bypass El3](hardware-physical-access/firmware-analysis/android-mediatek-secure-boot-bl2_ext-bypass-el3.md)
   - [Bootloader testing](hardware-physical-access/firmware-analysis/bootloader-testing.md)
   - [Firmware Integrity](hardware-physical-access/firmware-analysis/firmware-integrity.md)
 
@@ -857,6 +860,7 @@
 - [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)
   - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md)
   - [ios CVE-2021-30807-IOMobileFrameBuffer](binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.md)
+  - [Imessage Media Parser Zero Click Coreaudio Pac Bypass](binary-exploitation/ios-exploiting/imessage-media-parser-zero-click-coreaudio-pac-bypass.md)
   - [ios Corellium](binary-exploitation/ios-exploiting/ios-corellium.md)
   - [ios Heap Exploitation](binary-exploitation/ios-exploiting/ios-example-heap-exploit.md)
   - [ios Physical UAF - IOSurface](binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.md)

src/binary-exploitation/ios-exploiting/README.md

@@ -850,7 +850,6 @@ From the screenshot:
 | `default.kalloc.32`  | 32 bytes     | Small structs, object headers.                                              |
 | `default.kalloc.64`  | 64 bytes     | IPC messages, tiny kernel buffers.                                          |
 | `default.kalloc.128` | 128 bytes    | Medium objects like parts of `OSObject`.                                    |
-| `default.kalloc.256` | 256 bytes    | Larger IPC messages, arrays, device structures.                             |
 | …                    | …            | …                                                                           |
 | `default.kalloc.1280`| 1280 bytes   | Large structures, IOSurface/graphics metadata.                              |
 
@@ -1191,4 +1190,10 @@ If you want to check for vulnerabilities in a specific version of iOS, you can c
 For example, the versions `15.1 RC`, `15.1` and `15.1.1` use the version `Darwin Kernel Version 21.1.0: Wed Oct 13 19:14:48 PDT 2021; root:xnu-8019.43.1~1/RELEASE_ARM64_T8006`.
 
 
+### iMessage/Media Parser Zero-Click Chains
+
+{{#ref}}
+imessage-media-parser-zero-click-coreaudio-pac-bypass.md
+{{#endref}}
+
 {{#include ../../banners/hacktricks-training.md}}

src/binary-exploitation/ios-exploiting/imessage-media-parser-zero-click-coreaudio-pac-bypass.md

@@ -0,0 +1,120 @@
+# iMessage Media Parser Zero-Click → CoreAudio RCE → PAC/RPAC → Kernel → CryptoTokenKit Abuse
+
+{{#include ../../banners/hacktricks-training.md}}
+
+This page summarizes a modern iOS zero-click attack surface and an observed end-to-end exploitation chain abusing iMessage automatic media parsing to compromise CoreAudio, bypass BlastDoor, defeat Pointer Authentication (PAC) via an RPAC path, escalate to kernel, and finally abuse CryptoTokenKit for unauthorized key uses.
+
+> Warning: This is an educational summary to help defenders, researchers, and red teams understand the techniques. Do not use offensively.
+
+## High-level chain
+
+- Delivery vector: a malicious audio attachment (e.g., .amr / MP4 AAC) sent via iMessage/SMS.
+- Auto-ingestion: iOS auto-parses media for previews and conversions without user interaction.
+- Parser bug: malformed structures hit CoreAudio’s AudioConverterService and corrupt heap memory.
+- Code exec in media context: RCE inside the media parsing process; reported to bypass BlastDoor isolation in specific paths (e.g., “known sender” framing path).
+- PAC/RPAC bypass: once arbitrary R/W is achieved, a PAC bypass in the RPAC path enables stable control flow under arm64e PAC.
+- Kernel escalation: the chain converts userland exec into kernel exec (e.g., via wireless/AppleBCMWLAN code paths and AMPDU handling as seen in logs below).
+- Post-exploitation: with kernel, abuse CryptoTokenKit to perform signing with Secure Enclave–backed keys, read sensitive data paths (Keychain contexts), intercept messages/2FA, silently authorize actions, and enable stealth surveillance (mic/camera/GPS) without prompts.
+
+## iMessage/BlastDoor attack surface notes
+
+BlastDoor is a hardened service designed to parse untrusted message content. However, observed logs indicate paths where protections may be bypassed when messages are framed from a “known sender” and when additional filters (e.g., Blackhole) are relaxed:
+
+```text
+IDSDaemon    BlastDoor: Disabled for framing messages
+SpamFilter   Blackhole disabled; user has disabled filtering unknown senders.
+```
+
+Takeaways:
+- Auto-parsing still represents a remote, zero-click attack surface.
+- Policy/context decisions (known sender, filtering state) can materially change the effective isolation.
+
+## CoreAudio: AudioConverterService heap corruption (userland RCE)
+
+Affected component:
+- CoreAudio → AudioConverterService → AAC/AMR/MP4 parsing and conversion flows
+
+Observed parser touchpoint (logs):
+
+```text
+AudioConverterService    ACMP4AACBaseDecoder.cpp: inMagicCookie=0x0, inMagicCookieByteSize=39
+```
+
+Technique summary:
+- Malformed container/codec metadata (e.g., invalid/short/NULL magic cookie) causes a memory corruption during decode setup.
+- Triggers in the iMessage media conversion path without taps by the user.
+- Yields code execution in the media parsing process. The write-up claims this escapes BlastDoor in the observed delivery path, enabling the next stage.
+
+Practical tips:
+- Fuzz AAC/AMR magic cookie and MP4 codec atoms when targeting AudioConverterService conversions.
+- Focus on heap overflows/underflows, OOB reads/writes, and size/length confusion around decoder initialization.
+
+## PAC bypass via RPAC path (CVE-2025-31201)
+
+arm64e Pointer Authentication (PAC) impedes hijacking of return addresses and function pointers. The chain reports defeating PAC using an RPAC path once arbitrary read/write is available.
+
+Key idea:
+- With arbitrary R/W, attackers can craft valid, re-signed pointers or pivot execution to PAC-tolerant paths. The so-called “RPAC path” enables control-flow under PAC constraints, turning a userland RCE into a reliable kernel exploit setup.
+
+Notes for researchers:
+- Collect info leaks to defeat KASLR and stabilize ROP/JOP chains even under PAC.
+- Target callsites that generate or authenticate PAC in controllable ways (e.g., signatures generated on attacker-controlled values, predictable context keys, or gadget sequences that re-sign pointers).
+- Expect Apple hardening variance by SoC/OS; reliability hinges on leaks, entropy, and robust primitives.
+
+## Kernel escalation: wireless/AMPDU path example
+
+In the observed chain, once in userland with memory corruption and a PAC bypass primitive, kernel control was achieved via code paths in the Wi‑Fi stack (AppleBCMWLAN) under malformed AMPDU handling. Example logs:
+
+```text
+IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 14
+IO80211ControllerMonitor::setAMPDUstat unhandled kAMPDUStat_ type 13
+```
+
+General technique:
+- Use userland primitives to build kernel R/W or controlled call paths.
+- Abuse reachable kernel surfaces (IOKit, networking/AMPDU, media shared memory, Mach interfaces) to achieve kernel PC control or arbitrary memory.
+- Stabilize by building read/write primitives and defeating PPL/SPTM constraints where applicable.
+
+## Post-exploitation: CryptoTokenKit and identity/signing abuse
+
+Once kernel is compromised, processes like identityservicesd can be impersonated and privileged cryptographic operations invoked via CryptoTokenKit without user prompts. Example logs:
+
+```text
+CryptoTokenKit    operation:2 algo:algid:sign:ECDSA:digest-X962:SHA256
+CryptoTokenKit    <sepk:p256(d) kid=9a86778f7163e305> parsed for identityservicesd
+```
+
+Impact:
+- Use Secure Enclave–backed keys for unauthorized signing (tokens, messages, payments), breaking trust models even if keys are not exported.
+- Intercept 2FA codes/messages silently; authorize payments/transfers; enable stealth mic/camera/GPS.
+
+Defensive angle:
+- Treat post-kernel integrity breaks as catastrophic: enforce runtime attestation for CTK consumers; minimize ambient authority; verify entitlements at the point of use.
+
+## Reproduction and telemetry hints (lab only)
+
+- Delivery: send a crafted AMR/MP4-AAC audio to the target device via iMessage/SMS.
+- Observe telemetry for the foregoing log lines around parsing and wireless stack reactions.
+- Ensure devices are fully patched; only test in isolated lab setups.
+
+## Mitigations and hardening ideas
+
+- Patch level: iOS 18.4.1 reportedly fixes this chain; keep devices up to date.
+- Parser hardening: strict validation for codec cookies/atoms and lengths; defensive decoding paths with bounds checks.
+- iMessage isolation: avoid relaxing BlastDoor/Blackhole in “known sender” contexts for media parsing.
+- PAC hardening: reduce PAC-gadget availability; ensure signatures are bound to unpredictable contexts; remove PAC-tolerant bypassable patterns.
+- CryptoTokenKit: require post-kernel attestation and strong entitlements at call-time for key-bound operations.
+- Kernel surfaces: harden wireless AMPDU/status handling; minimize attacker-controlled inputs from userland after compromise.
+
+## Affected versions (as reported)
+
+- iOS 18.x prior to iOS 18.4.1 (April 16, 2025).
+- Primary: CoreAudio → AudioConverterService (media auto-parsing path via iMessage/SMS).
+- Chained: PAC/RPAC path and kernel escalation via AppleBCMWLAN AMPDU handling.
+
+## References
+
+- [iOS Crypto Heist repo (README)](https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201)
+- [Remote Crypto Attack Chain details](https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/main/Remote%20Crypto%20Attack%20Chain%20.md)
+
+{{#include ../../banners/hacktricks-training.md}}

src/binary-exploitation/libc-heap/heap-memory-functions/free.md

@@ -7,19 +7,21 @@
 (No checks are explained in this summary and some case have been omitted for brevity)
 
 1. If the address is null don't do anything
-2. If the chunk was mmaped, mummap it and finish
+2. If the chunk was mmaped, munmap it and finish
 3. Call `_int_free`:
    1. If possible, add the chunk to the tcache
    2. If possible, add the chunk to the fast bin
    3. Call `_int_free_merge_chunk` to consolidate the chunk is needed and add it to the unsorted list
 
-## \_\_libc_free <a href="#libc_free" id="libc_free"></a>
+> Note: Starting with glibc 2.42, the tcache step can also take chunks up to a much larger size threshold (see “Recent glibc changes” below). This changes when a free lands in tcache vs. unsorted/small/large bins.
+
+## __libc_free <a href="#libc_free" id="libc_free"></a>
 
 `Free` calls `__libc_free`.
 
 - If the address passed is Null (0) don't do anything.
 - Check pointer tag
-- If the chunk is `mmaped`, `mummap` it and that all
+- If the chunk is `mmaped`, `munmap` it and that all
 - If not, add the color and call `_int_free` over it
 
 <details>
@@ -78,9 +80,9 @@ libc_hidden_def (__libc_free)
 
 </details>
 
-## \_int_free <a href="#int_free" id="int_free"></a>
+## _int_free <a href="#int_free" id="int_free"></a>
 
-### \_int_free start <a href="#int_free" id="int_free"></a>
+### _int_free start <a href="#int_free" id="int_free"></a>
 
 It starts with some checks making sure:
 
@@ -121,7 +123,7 @@ _int_free (mstate av, mchunkptr p, int have_lock)
 
 </details>
 
-### \_int_free tcache <a href="#int_free" id="int_free"></a>
+### _int_free tcache <a href="#int_free" id="int_free"></a>
 
 It'll first try to allocate this chunk in the related tcache. However, some checks are performed previously. It'll loop through all the chunks of the tcache in the same index as the freed chunk and:
 
@@ -181,7 +183,7 @@ If all goes well, the chunk is added to the tcache and the functions returns.
 
 </details>
 
-### \_int_free fast bin <a href="#int_free" id="int_free"></a>
+### _int_free fast bin <a href="#int_free" id="int_free"></a>
 
 Start by checking that the size is suitable for fast bin and check if it's possible to set it close to the top chunk.
 
@@ -278,7 +280,7 @@ Then, add the freed chunk at the top of the fast bin while performing some check
 
 </details>
 
-### \_int_free finale <a href="#int_free" id="int_free"></a>
+### _int_free finale <a href="#int_free" id="int_free"></a>
 
 If the chunk wasn't allocated yet on any bin, call `_int_free_merge_chunk`
 
@@ -317,7 +319,7 @@ If the chunk wasn't allocated yet on any bin, call `_int_free_merge_chunk`
 
 </details>
 
-## \_int_free_merge_chunk
+## _int_free_merge_chunk
 
 This function will try to merge chunk P of SIZE bytes with its neighbours. Put the resulting chunk on the unsorted bin list.
 
@@ -383,7 +385,66 @@ _int_free_merge_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size)
 
 </details>
 
-{{#include ../../../banners/hacktricks-training.md}}
+---
+
+## Attacker notes and recent changes (2023–2025)
+
+- Safe-Linking in tcache/fastbins: `free()` stores the `fd` pointer of singly-linked lists using the macro `PROTECT_PTR(pos, ptr) = ((size_t)pos >> 12) ^ (size_t)ptr`. This means crafting a fake next pointer for tcache poisoning requires the attacker to know a heap address (e.g., leak `chunk_addr`, then use `chunk_addr >> 12` as the XOR key). See more details and PoCs in the tcache page below.
+- Tcache double-free detection: Before pushing a chunk into tcache, `free()` checks the per-entry `e->key` against the per-thread `tcache_key` and walks the bin up to `mp_.tcache_count` looking for duplicates, aborting with `free(): double free detected in tcache 2` when found.
+- Recent glibc change (2.42): The tcache grew to accept much larger chunks, controlled by the new `glibc.malloc.tcache_max_bytes` tunable. `free()` will now try to cache freed chunks up to that byte limit (mmapped chunks are not cached). This reduces how often frees fall into unsorted/small/large bins on modern systems.
+
+### Quick crafting of a safe-linked fd (for tcache poisoning)
+
+```py
+# Given a leaked heap pointer to an entry located at &entry->next == POS
+# compute the protected fd that points to TARGET
+protected_fd = TARGET ^ (POS >> 12)
+```
+
+- For a full tcache poisoning walkthrough (and its limits under safe-linking), see:
+  
+  {{#ref}}
+  ../tcache-bin-attack.md
+  {{#endref}}
+
+### Forcing frees to hit unsorted/small bins during research
+
+Sometimes you want to avoid tcache entirely in a local lab to observe classic `_int_free` behaviour (unsorted bin consolidation, etc.). You can do this with GLIBC_TUNABLES:
 
+```bash
+# Disable tcache completely
+GLIBC_TUNABLES=glibc.malloc.tcache_count=0 ./vuln
 
+# Pre-2.42: shrink the maximum cached request size to 0
+GLIBC_TUNABLES=glibc.malloc.tcache_max=0 ./vuln
 
+# 2.42+: cap the new large-cache threshold (bytes)
+GLIBC_TUNABLES=glibc.malloc.tcache_max_bytes=0 ./vuln
+```
+
+Related reading within HackTricks:
+
+- First-fit/unsorted behaviour and overlap tricks: 
+  
+  {{#ref}}
+  ../use-after-free/first-fit.md
+  {{#endref}}
+
+- Double-free primitives and modern checks:
+  
+  {{#ref}}
+  ../double-free.md
+  {{#endref}}
+
+> Heads-up on hooks: Classic `__malloc_hook`/`__free_hook` overwrite techniques are not viable on modern glibc (≥ 2.34). If you still see them in older write-ups, adapt to alternative targets (IO_FILE, exit handlers, vtables, etc.). For background, check the page on hooks in HackTricks.
+
+{{#ref}}
+../../arbitrary-write-2-exec/aw2exec-__malloc_hook.md
+{{#endref}}
+
+## References
+
+- GNU C Library – NEWS for 2.42 (allocator: larger tcache via tcache_max_bytes, mmapped chunks are not cached) <https://www.gnu.org/software/libc/NEWS.html#2.42>
+- Safe-Linking explanation and internals (Red Hat Developer, 2020) <https://developers.redhat.com/articles/2020/05/13/new-security-hardening-gnu-c-library>
+
+{{#include ../../../banners/hacktricks-training.md}}